5 results (0.036 seconds)

CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0

The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level. • https://me.sap.com/notes/3088078 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-862: Missing Authorization •

CVSS: 9.9EPSS: 5%CPEs: 11EXPL: 2

SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Denial of Service. SAP Business Warehouse, versiones 700, 701, 702, 711, 730, 731, 740, 750, 782 y SAP BW/4HANA, versiones 100, 200, permiten a un atacante poco privilegiado inyectar código usando un módulo de función habilitado de forma remota a través de la red. Por medio del módulo de función, un atacante puede crear un reporte ABAP malicioso que podría ser usado para obtener acceso a datos confidenciales, para inyectar sentencias UPDATE maliciosas que también podrían tener un impacto en el sistema operativo, para interrumpir la funcionalidad del sistema SAP que, por lo tanto, puede conducir a una denegación de servicio The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected. • http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html http://seclists.org/fulldisclosure/2022/May/42 https://launchpad.support.sap.com/#/notes/2999854 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.9EPSS: 2%CPEs: 12EXPL: 2

The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system. La Interfaz de Base de Datos de BW permite a un atacante con pocos privilegios ejecutar cualquier consulta de la base de datos diseñada, exponiendo la base de datos del backend. Un atacante puede incluir sus propios comandos SQL que la base de datos ejecutará sin sanear apropiadamente los datos no confiables, conllevando a una vulnerabilidad de inyección SQL que puede comprometer por completo el sistema SAP afectado The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected. • http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html http://seclists.org/fulldisclosure/2022/May/42 https://launchpad.support.sap.com/#/notes/2986980 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 2

The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table. La interfaz de Base de Datos de BW no lleva a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios que permite al usuario leer prácticamente cualquier tabla de la base de datos The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected. • http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html http://seclists.org/fulldisclosure/2022/May/42 https://launchpad.support.sap.com/#/notes/2986980 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 • CWE-862: Missing Authorization •

CVSS: 9.1EPSS: 0%CPEs: 14EXPL: 0

SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it. SAP Business Warehouse, versiones: 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782 y SAP BW4HANA, versiones: 100, 200 permite a un atacante autenticado con (altos) privilegios de desarrollador enviar una petición diseñada para generar y ejecutar código sin ser necesario una interacción del usuario. Es posible diseñar una petición que resultará en una ejecución de comandos del Sistema Operativo conllevando a una vulnerabilidad de Inyección de Código que podría comprometer completamente la confidencialidad, integridad y disponibilidad del servidor y cualquier dato u otras aplicaciones que se ejecuten en él • https://launchpad.support.sap.com/#/notes/2983367 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •